For a few years now there has been a growing discussion around digital transformation, aka digitization, digital business transformation, or business transformation. A lot of people see the word "digital" and immediately tune out, assuming it's an IT thing. Critical to understand, however, is that digital transformation centers on the realization that technology underlies almost everything organizations do and that business strategies must evolve to leverage the opportunities presented by the pace of technological advances. Consider that 20 years ago the internet was an "IT" thing, not well understood beyond the technology mystics of the time. Today, the operating models of many of the most valuable businesses in the world rely on the internet and all employees must have expert knowledge to thrive.
The imperative to transform arises because we are experiencing three significant changes at the same time: changes to demand, changes to the competitive landscape, and changes to technology. Breaking these three factors down from internal audit's perspective illustrates the transformation imperative:
Changes to stakeholder/client demand. Given the amount of responsibility and liability being placed on boards and audit committees, plus boards' growing interest in transparency, involvement in strategy, and oversight of risk management, it is easy to begin to see the opportunity internal audit has to fill in the gaps. However, boards, audit committees, and C-suites do not necessarily understand how internal audit can help given the confusion around internal audit's role (traditional accounting/finance vs. risk-based).
Changes to the competitive landscape. This is where internal audit leaders need to be very nervous. There are a lot of people knocking on the doors of boards and audit committees. Internal audit is just one of many, including chief risk officers, chief compliance officers, chief information security officers, general counsel, and others, all with expertise and a lot to say to an audience with very limited availability. The role of chief audit executive (CAE) is sometimes being blurred with second line of defense functions like risk and compliance. Combined, these represent a growing challenge for internal audit: to avoid getting trampled in the stampede and to demonstrate its unique value.
Changes to technology. Cloud computing, the internet of things, artificial intelligence (AI), blockchain, and augmented reality are just a few of the technologies impacting how organizations are run. Operating models are changing. New businesses that weren't possible a few years ago have transformed entire business sectors and, in some cases, have wiped out legacy corporations. As technology transforms business, is internal audit keeping pace?
Enter digital transformation. Digital transformation is about reinventing operations. It's about accelerating business models, processes, and all sorts of organizational activities to leverage the opportunities presented by a variety of developed and emerging technologies, while addressing changing stakeholder expectations and shifting competitive factors. Above all, digital transformation represents a changing mindset where leaders challenge the status quo and innovate in ways that allow their functions to better meet stakeholder demand and effect positive change more efficiently. It's no longer about how we have done it in the past. It's about how we need to do it to survive and flourish in the future.
Consider the typical approach to internal auditing. The biggest change in the last couple of decades has been the implementation of automated workflows, typically in the form of electronic workpapers or audit management systems. Many of today's audit management systems offer some interesting functionality. That said, my interaction with CAEs has led me to believe that automation is implemented simply as a repository for workpapers and to bring efficiency to review and sign-off. Functionality beyond that is often referred to as too complex or time-consuming and the underlying value of these tools goes underused at best. In other words, instead of looking at these tools as an opportunity to rethink our processes, we use them to mirror what we did before, in a slightly more efficient way (hopefully).
Digital transformation goes beyond that, challenging our way of thinking. Below are some examples of how we could digitally transform internal audit:
| | Traditional Internal Audit Model | Internal Audit Digital Transformation Model |
|---|---|---|
| Internal Audit Objective | Audit key risk areas of the organization and provide management and the board with insights and recommendations on the effective management of key risks. The goal is to assist the organization in achieving its objectives. | Leveraging internal audit's business intelligence portal, data from across the organization is coupled with lessons from audits of key risk areas. This allows internal audit to provide the board with strategic insights in support of its need for transparency and its ability to guide the organization's strategy while providing appropriate oversight of risk management. (Note that internal audit's focus leans more toward the board than the C-suite.) |
| Risk Assessment and Planning | Based on interviews with management and ad hoc data analytics, internal audit develops and presents an annual plan for approval by the audit committee. Success is measured by completion of the plan. | Automated and real-time key risk indicators, predictive analytics, and AI drive the audit plan. The audit plan evolves from an annual plan to a real-time plan. Internal audit’s plan is based on agility, and it executes audits where and when they are needed. Predictive models demonstrate the impact an audit could have even before it has begun. Success is measured by impact and board/audit committee satisfaction. Internal audit is more focused on strategic risks. Routine audits, such as Sarbanes-Oxley and time and expense, are almost entirely performed via robotic process automation (RPA). |
| | Audit engagements are generally linear as auditors progress from one step to the next. Data comes from the business unit or from IT as “requests” from the auditor. Data analytics are ad hoc and/or forced as separate steps in the engagement. | Internal audit’s real-time access to systems and data drives the engagement. Auditors are armed with the information they need to drill down to root causes and can more effectively prioritize work on the areas that need the most attention. Internal audit’s broad view of the organization and its data allows it to more effectively connect the dots for management and the board. Skilled in AI and RPA, internal auditors are programming on the fly, building models and process intelligence tools to be shared across the organization. |
| | Internal audit delivers an audit report detailing its methodology and laying out findings and recommendations. Management responds with an action plan and internal audit follows up periodically to ensure implementation. | Internal audit collaborates closely with management throughout the engagement. The audit is seen as an opportunity to educate and inform. Auditors share data, information, and lessons learned throughout. The need for a formal audit report is replaced with continuous communication via a knowledge-sharing platform. As insights are gained throughout the audit, auditors leverage RPA or intelligent process automation to address broken processes or controls. Auditors have implemented continuous monitoring of key risks. |
These are just a few examples, and you may have many different ideas. I encourage you to comment and share them. The point is that we step back, recognize the significant change happening around us, and be open to new ways of thinking around how internal audit can transform to maximize the value we bring to organizations.
That's my point of view. I'd be happy to hear yours.